What are the key differences between Falco and tetragon?
I am trying to understand the differences between Falco and Tetragon. Let's say, Falco is meant for this and it cannot do this like Tetragon. Can I get some help? Kindly try to provide elaborate answers for comprehension. They are different tools but somehow I am not understanding the core differences.
Hey, I'm not a maintainer, just looking for answers to the same question. The best comparison for the products I have gotten so far is: https://ebpf.io/applications/
If I understand it correctly: Falco uses eBPF to watch syscalls, then sends violations to your output stream of choice (logs, Falco exporter, etc.). Tetragon uses eBPF to watch syscalls, but is able to enforce rules (e.g. block X syscall, etc.) and alert on events.
TL;DR: Falco: watch. Tetragon: watch and enforce.
If a maintainer would like to clarify that'd be appreciated
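As an added illustration of the watch-versus-enforce split described in the reply above (example configuration written for this thread, not taken from the original post or from either project's documentation; the rule and policy names and the choice of /etc/shadow as the watched file are assumptions), here is a Falco rule that can only emit an alert beside a Tetragon TracingPolicy that reacts to the same kind of event with an enforcement action:

```yaml
# --- Falco: detection only (custom rule, e.g. in falco_rules.local.yaml) ---
# Falco evaluates every syscall event against the condition and, on a match,
# writes the formatted output to its configured sinks (stdout, file, gRPC,
# Falcosidekick, ...). The open() itself still succeeds.
- rule: Shadow File Opened
  desc: A process opened /etc/shadow (assumed example file to watch)
  condition: >
    evt.type in (open, openat, openat2)
    and fd.name = /etc/shadow
  output: >
    /etc/shadow opened (user=%user.name proc=%proc.name
    container=%container.id cmd=%proc.cmdline)
  priority: WARNING
  tags: [filesystem, example]

---
# --- Tetragon: observe AND enforce (TracingPolicy custom resource) ---
# The kprobe on fd_install fires when the kernel installs the descriptor for
# a newly opened file. The selector matches the file path and, in addition to
# emitting an event, applies an action: Sigkill terminates the offending process.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: kill-shadow-open   # assumed policy name
spec:
  kprobes:
  - call: "fd_install"
    syscall: false
    args:
    - index: 0
      type: "int"
    - index: 1
      type: "file"
    selectors:
    - matchArgs:
      - index: 1
        operator: "Prefix"
        values:
        - "/etc/shadow"
      matchActions:
      - action: Sigkill
```

Dropping the matchActions block leaves a Tetragon policy that only reports the event, which is the Falco-like "watch" behaviour; the action is what turns observation into enforcement.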
I didn't try Tetragon yet. I tried Falco and KubeArmor. I thought KubeArmor was the only tool that can not only audit but also block. But I found out that Tetragon is also able to block. So as I see it, the main differences are: Falco: only audit, a lot of different ways to get alerts (falcosidekick); Tetragon/KubeArmor: audit and block, lack of alerts. So now I'm looking closely at Tetragon and KubeArmor, because I need the ability to block.
KubeArmor doesn't require a privileged container like Tetragon does. https://docs.kubearmor.io/kubearmor/quick-links/differentiation